[thelist] ASP Question - Converting varchar to data type

Ken Schaefer Ken at adOpenStatic.com
Thu Dec 6 17:30:50 CST 2007


Just be aware that your code, as it was posted, is vulnerable to SQL Injection attack...

Cheers
Ken

-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of L L
Sent: Friday, 7 December 2007 6:06 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] ASP Question - Converting varchar to data type



Thanks - this (adding the single quotes) did the job!  The column in the db table is a varchar type,
as it contains those dashes.  The SQL statement wasn't using the single quotes
which was causing that error (converting a field from int to varchar during
query).
-Louis


Message: 6
Date: Thu, 6 Dec 2007 11:37:49 -0500
From: "Phillip Ciske" <pciske at gmail.com>
Subject: Re: [thelist] ASP Question - Converting varchar to data type int
To: "thelist at lists.evolt.org" <thelist at lists.evolt.org>

> I'm working in ASP and have a data input page which has a 'unique id
> generator' that is in this format xxxx-xx-xxx-xxx, with the x's being
> all numeric.  The database column is set up to be 'varchar' to allow for
> the dashes.
> for this code:
> <%strSQL = "SELECT * FROM AMS where MinutesID = " & Request ("id")%>
>
> Is there a way to convert the request string to varchar/non-numeric
> so that the two can be compared, etc?

If Request("id") is a string, you will need single quotes around the
value in your SQL. For the string xxxx-xx-xxx-xxx, the SQL will
become:

SELECT * FROM AMS WHERE MinutesID = 'xxxx-xx-xxx-xxx'

Your strSQL variable becomes:

<%strSQL = "SELECT * FROM AMS WHERE MinutesID = '" & Request("id") & "'" %>

Phillip
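
The SQL injection concern raised at the top of this thread comes from concatenating Request("id") into the SQL text. The following is an added example, not code from any of the posters, showing the same lookup with a format check and a bound parameter. It assumes `conn` is an already-open ADODB.Connection; the helper name `IsValidMinutesID` and the parameter length of 15 (the length of xxxx-xx-xxx-xxx) are assumptions for illustration.

```vbscript
<%
' Added example. Assumption: conn is an open ADODB.Connection created elsewhere.
' ADO constants, declared locally in case adovbs.inc is not included.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

' Hypothetical helper: accepts only the xxxx-xx-xxx-xxx all-digit format.
Function IsValidMinutesID(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{4}-\d{2}-\d{3}-\d{3}$"
    IsValidMinutesID = re.Test(value)
End Function

Dim id, cmd, rs
id = Trim(Request("id") & "")   ' coerce a missing value to an empty string

' Reject anything that is not a well-formed id before touching the database.
If Not IsValidMinutesID(id) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid id"
    Response.End
End If

' The value is bound as a varchar parameter, so it is never parsed as SQL
' and no hand-written single quotes are needed around it.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT * FROM AMS WHERE MinutesID = ?"
cmd.Parameters.Append cmd.CreateParameter("MinutesID", adVarChar, adParamInput, 15, id)

Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on output so stored values cannot inject markup into the page.
    Response.Write Server.HTMLEncode(rs("MinutesID") & "") & "<br>"
    rs.MoveNext
Loop
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

Binding the value as adVarChar also covers the original type error, since the comparison against the varchar column is made with a string parameter rather than an unquoted literal.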




